J2EE Security for Architects

Reviewers:

Stephen de Vries

Deadline for first draft:

19/08/2006

Deadline for first review:

26/08/2006

Deadline for final draft:

11/09/2006

Deadline for final review:

20/09/2006

Design considerations

Objective:

Discuss the security implications of common J2EE architectures. These could be discussed in terms of authentication, authorisation, data validation and Cross Site Scripting protection. Other architectural concerns such as scalability, performance and maintainability can also be mentioned, but the focus on security should not be lost.
Any other security concerns that should be addressed during the design phase should also be mentioned here.

Contributors:

Architectural considerations

EJB Middle tier

Web Services Middle tier

Spring Middle tier

Noteworthy Frameworks

Objective:

Discuss important and relevant Java security frameworks that would be useful to architects. The information should be at a suitably high level, for example, by discussing the advantages and features as well as the associated costs (direct and indirect) of using the frameworks.

Contributors:

Acegi

Commons validator

jGuard

Stinger seems to have been parked for a while now; is this correct, Jeff?

Stinger is

CVS HEAD is in a functional state; needs work on docs and new features. --Roman 00:15, 13 June 2006 (EDT)

Most web tier frameworks will prevent XSS attacks, so listing them all in this section is a bit verbose; I would prefer to see them listed in the XSS section. --Stephendv 08:04, 12 June 2006 (EDT)

I think Struts should be covered too. --Rohyt

Struts is important as a web framework, but there are many frameworks that provide the same functionality from a security point of view. I think it makes sense to discuss Struts as a web framework in the section on XSS below, together with the other popular web frameworks, rather than give it a special place in this section, which only covers security-specific frameworks. --Stephendv 07:22, 18 June 2006 (EDT)

J2EE Security for Developers

Java Security Basics

Class Loading

Bytecode verifier

The Security Manager and security.policy file

I suggest we do something short here for web developers, and wait on client-side apps for now. --Jeff Williams 09:04, 12 June 2006 (EDT)